Date: Wed, 16 May 2012 14:49:29 -0700 From: Andrew Leonard <lists@hurricane-ridge.com> To: Rick Macklem <rmacklem@uoguelph.ca> Cc: freebsd-fs@freebsd.org Subject: Re: Unable to set ACLs on ZFS file system over NFSv4? Message-ID: <CADUQDp-oq%2BA6s65f28ZQRipsuXS4KLMofy6xwu_WxpFcw0_Vyw@mail.gmail.com> In-Reply-To: <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca> References: <CADUQDp-QHqXtRtTQfm4y7sEZhZeesR0=WBiUWP39XUzr92gUXg@mail.gmail.com> <1831201709.296992.1336789851115.JavaMail.root@erie.cs.uoguelph.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 11, 2012 at 7:30 PM, Rick Macklem <rmacklem@uoguelph.ca> wrote: > Andrew Leonard wrote: >> On Thu, May 10, 2012 at 2:23 PM, Rick Macklem <rmacklem@uoguelph.ca> >> wrote: >> >> > I wrote: >> >> >> If you capture a packet trace from before you do the NFSv4 mount, I >> >> can >> >> take a look and see what the server is saying. (Basically, at mount >> >> time >> >> a reply to a Getattr should including the supported attributes and >> >> that >> >> should include the ACL bit. Then the setfacl becomes a Setattr of >> >> the >> >> ACL >> >> attribute.) >> >> # tcpdump -s 0 -w acl.pcap host <server> >> >> - run on the client should do it >> >> >> >> If you want to look at it, use wireshark. If you want me to look, >> >> just >> >> email acl.pcap as an attachment. >> >> >> >> rick >> >> ps: Although I suspect it is the server that isn't behaving, please >> >> use >> >> the FreeBSD client for the above. >> >> pss: I've cc'd trasz@ in case he can spot some reason why it >> >> wouldn't >> >> work. >> >> >> > Oh, and make sure "user1" isn't in more than 16 groups, because that >> > is the >> > limit for AUTH_SYS. (I'm not sure what the effect of user1 being in >> > more >> > than 16 groups would be, but might as well eliminate it as a cause.) >> >> Thanks, Rick - I'll send the pcap over private email, as I'm sure >> $DAYJOB would consider it somewhat sensitive. >> >> Looking in wireshark, if I'm reading it correctly, I don't see >> anything for FATTR4_ACL in any replies. On the final connection, I do >> see NFS4ERR_IO set as the status for the reply to the setattr - but >> from Googling, my understanding is that response is supposed to >> indicate a hard error, such as a hardware problem. >> > Yep, it appears that ZFS returned an error that isn't in the list of > replies for getattr, so it got mapped to EIO (the catch all for error > codes not known to NFS). > > I took a quick look at the ZFS code and the problem looks pretty > obvious. ZFS replies EOPNOTSUPP to the VOP_ACLCHECK() and that's > as far as it gets. > > Please try the attached patch in the server (untested, but all it does is go ahead > and try the VOP_SETACL() for the case where VOP_ACLCHECK() replies > EOPNOTSUPP) and let me know if it helps. It took me a little while to get a test environment set up, but with the patch applied, ACLs can be set on the ZFS file system over NFSv4. Thanks, Andy > Thanks for reporting this and sending the packet trace, rick > >> Also, I have verified that "user1" is not a member of more than 16 >> groups, so we can rule that out - that user is in only three groups. >> >> -Andy
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADUQDp-oq%2BA6s65f28ZQRipsuXS4KLMofy6xwu_WxpFcw0_Vyw>